Method for vehicle intrusion detection with mobile router

ABSTRACT

A method of operating a mobile router installed in a vehicle is provided. The vehicle comprises a vehicle network bus coupled to a plurality of electronic control units. The mobile router comprises: a wireless wide area network interface; a wireless local area network interface; an interface to the vehicle network bus; a processor; and a memory comprising a plurality of programs. The plurality of programs comprises an intrusion detection program executable by the processor. The method of operating the mobile router comprises: monitoring data on the vehicle network bus; utilizing the intrusion detection program to detect one or more anomalies in the monitored data; and generating an alert upon detection of one or more anomalies.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation-in-part of U.S. patent application Ser. No. 12/514,049, filed as PCT Application No. PCT/US07/11624 on May 15, 2007 and claiming priority to U.S. provisional application Ser. No. 60/800,749, filed May 16, 2006, U.S. provisional application Ser. No. 60/800,679, filed May 16, 2006, and claiming priority to U.S. provisional application Ser. No. 60/800,750, filed May 16, 2006. The disclosure of Ser. No. 12/514,049 is incorporated herein by reference.

FIELD

The present invention relates to detecting unauthorized access to vehicular computer control systems.

BACKGROUND

As the automotive industry moves towards connected cars and autonomous vehicles, “car hacking”, or placing malware onto vehicle electronic control systems, is becoming a growing concern for auto manufacturers. Such unauthorized access is referred to as an “intrusion”. The methodology of detecting unauthorized access to computer networks or systems is referred to as “intrusion detection.”

While new security architectures are being developed for newer cars, these architectures will take years to implement and won't apply to vehicles already built and being built for some time.

It is desirable to provide a system and method for detecting such an intrusion for vehicles that do not have security architectures, or to detect intrusions for those vehicles that do have intrusion prevention architectures when such prevention fails.

SUMMARY

In accordance with the principles of the invention, a security arrangement is provided that can be used on current vehicle architectures to monitor critical elements of the vehicle and provide alerts when a vehicle has been compromised, minimizing the risk of successful “car hacking”.

An electronic control unit is provided for installation in a vehicle. The electronic control unit is operable to provide intrusion detection for the vehicle electronics. The electronic control unit comprises: a processor; a memory; and an interface to a vehicle network bus coupled to vehicle electronic control units. The processor utilizes the interface to monitor data on the vehicle network bus. An intrusion detection program is stored in the memory and is executable by the processor. The processor utilizes the intrusion detection program to detect one or more anomalies in the monitored data. The electronic control unit generates an alert upon detection of one or more anomalies.

The intrusion detection program may comprise statistical anomaly detection.

The intrusion detection program may further comprise and utilize Bayes' Law.

The alert generated by the electronic control unit may be transmitted to one or more of a man-machine interface in the vehicle, a remotely located device, a mobile device, or a server.

In various embodiments of the electronic control unit, the vehicle network bus comprises a Controller Area Network (CAN) bus.

In various embodiments of the electronic control unit, the statistical anomaly detection may utilize a profile of normal data on the vehicle bus based upon learned data. The normal data may comprise one or more of an amount of normal traffic, identification of normal messages, identification of normal vehicle device-to-device communication, and identification of normal sensor data.

In another embodiment of the electronic control unit, the intrusion detection program comprises specification based anomaly detection. The intrusion detection program ignores all specification compliant data on the vehicle network bus and generates an alert for data on the vehicle network bus that is not specification compliant.

The electronic control unit may be operable to receive at least one of calibration information and update information for the intrusion detection program.

In one embodiment of the electronic control unit, specification-based anomaly detection is utilized to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, spoofing of vehicle bus messages and/or identifications, and invalid bus identifications.

In an embodiment, the electronic control unit comprises an anomaly detection engine. The anomaly detection engine may comprise one of statistical anomaly detection and specification based anomaly detection.
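The two engine types just named, worked through over CAN frames as an added example; this is not the patent's implementation or any product's code. The identifier table standing in for an OEM message specification, the training traffic and the injected frames are all constructed here, and the Bayesian scoring uses an assumed prior and a flat attack likelihood. The specification-based engine ignores compliant frames and alerts on invalid or unspecified identifiers and wrong data lengths; the statistical engine learns per-identifier frame rates from normal traffic (the amount of normal traffic and the set of normal messages) and applies Bayes' law to the rate observed in each window.

```python
"""Sketch of the two engine types named above, run over CAN frames:
specification-based checks (alert on frames that violate the bus
specification, ignore compliant ones) and statistical checks against a
learned profile of normal traffic, with Bayes' law turning each observation
into a posterior probability of intrusion. Added example, not the patent's
code; the specification table and all traffic are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Frame:
    ts: float    # receive time in seconds
    can_id: int  # 11-bit identifier
    data: bytes  # payload, at most 8 bytes on classical CAN


MAX_STD_ID = 0x7FF  # largest 11-bit (CAN 2.0A) identifier
MAX_DLC = 8         # classical CAN payload limit
# Constructed stand-in for an OEM message specification: identifier -> DLC.
SPEC = {0x0C0: 8, 0x1A0: 8, 0x244: 4, 0x3E8: 2}
NORMAL_RATES = [(0x0C0, 100), (0x1A0, 50), (0x244, 10), (0x3E8, 1)]  # frames/s


def spec_check(frame):
    """Specification-based engine: the violations for one frame.
    An empty list means the frame is compliant and is ignored."""
    problems = []
    if frame.can_id > MAX_STD_ID:
        problems.append("invalid bus identifier")
    elif frame.can_id not in SPEC:
        problems.append("identifier not in specification")
    elif len(frame.data) != SPEC[frame.can_id]:
        problems.append("DLC does not match specification")
    if len(frame.data) > MAX_DLC:
        problems.append("payload longer than classical CAN allows")
    return problems


def window_counts(frames, window):
    """Frames per identifier in consecutive windows of `window` seconds."""
    per_window = defaultdict(Counter)
    for f in frames:
        per_window[int(f.ts // window)][f.can_id] += 1
    return [per_window[i] for i in sorted(per_window)]


def learn_profile(frames, window=1.0):
    """Statistical engine, learning phase: mean and spread of frames per window
    for each identifier seen in normal traffic (amount of traffic, normal IDs)."""
    windows = window_counts(frames, window)
    profile = {}
    for cid in set().union(*windows):
        xs = [w[cid] for w in windows]
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        # Floor the spread at one frame: perfectly periodic training traffic
        # must not make every later deviation look infinitely unlikely.
        profile[cid] = (mean, max(math.sqrt(var), 1.0))
    return profile


def posterior_intrusion(count, mean, std, prior=0.01, attack_lik=0.1):
    """Bayes' law: P(intrusion | count) from the count's likelihood under the
    learned profile versus under an intrusion (flat likelihood; an assumption)."""
    z = (count - mean) / std
    normal_lik = math.exp(-0.5 * z * z)  # Gaussian-shaped, 1.0 at the mean
    return prior * attack_lik / (prior * attack_lik + (1 - prior) * normal_lik)


def detect(frames, profile, window=1.0, threshold=0.5):
    """Run both engines over captured frames and return alert strings."""
    alerts = [f"spec: id=0x{f.can_id:03X} {p}" for f in frames for p in spec_check(f)]
    for i, counts in enumerate(window_counts(frames, window)):
        for cid, n in counts.items():
            if cid not in profile:
                alerts.append(f"stat: window {i} unknown id=0x{cid:03X}")
                continue
            mean, std = profile[cid]
            p = posterior_intrusion(n, mean, std)
            if p > threshold:
                alerts.append(f"stat: window {i} id=0x{cid:03X} rate {n}/s "
                              f"vs {mean:.0f}/s, P(intrusion)={p:.2f}")
    return alerts


def periodic(cid, hz, seconds, dlc):
    """Constructed traffic: one identifier sent at a fixed rate."""
    return [Frame(k / hz, cid, bytes(dlc)) for k in range(int(hz * seconds))]


def demo():
    """Learn from ten seconds of normal traffic, then examine one second in
    which a known identifier is flooded and an unspecified identifier appears."""
    normal = sum((periodic(c, hz, 10, SPEC[c]) for c, hz in NORMAL_RATES), [])
    profile = learn_profile(normal)
    captured = sum((periodic(c, hz, 1, SPEC[c]) for c, hz in NORMAL_RATES), [])
    captured += periodic(0x0C0, 40, 1, 8)        # 40 injected frames on a known id
    captured.append(Frame(0.5, 0x7FE, b"\x00"))  # identifier absent from SPEC
    return profile, detect(captured, profile)


if __name__ == "__main__":
    print("\n".join(demo()[1]))
```

Running demo() yields one specification alert for the unspecified identifier and one statistical alert for the flooded identifier, plus a statistical note that the unspecified identifier was never seen during learning. The spread in the learned profile is floored at one frame per window so that perfectly periodic training traffic still leaves room for ordinary jitter; a deployment would also learn device-to-device and sensor-value relationships, which this sketch leaves out.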

In the various embodiments of the electronic control unit, the anomalies may comprise one of re-flashing of an electronic control unit memory, and predetermined radio frequency hub activity in the vehicle.

An embodiment is provided of a mobile router for installation in a vehicle comprising a vehicle network bus coupled to a plurality of electronic control units. The mobile router comprises: a processor; a memory comprising a plurality of programs; a wireless wide area network interface; a wireless local area network interface; and an interface to the vehicle network bus coupled to vehicle electronic control units. The processor utilizes the interface to monitor data on the vehicle network bus. The plurality of programs comprises an intrusion detection program executable by the processor to detect one or more anomalies in the monitored data and to generate an alert upon detection of one or more anomalies.

In the embodiment of the mobile router, the intrusion detection program is isolated from the other programs stored in the memory. In the embodiment, the memory comprises a first memory portion comprising the intrusion detection program and a second memory portion comprising the other programs.

In one embodiment of the mobile router, the intrusion detection program comprises statistical anomaly detection. The intrusion detection program may comprise Bayes' Law. The statistical anomaly detection utilizes a profile of normal data on the vehicle bus based upon learned data. The normal data comprises one or more of an amount of normal traffic, identification of normal messages, identification of normal vehicle device-to-device communication, and identification of normal sensor data.

In the embodiment, the mobile router transmits the alert to one of a man-machine interface in the vehicle, a mobile device, and a server. The mobile router may transmit the alert via a selected one of the wide area network interface and the local area network interface to one of a mobile device and a server.

In one embodiment of the mobile router, the vehicle network bus comprises a Controller Area Network (CAN) bus.

In another embodiment of the mobile router, the intrusion detection program comprises specification based anomaly detection. The intrusion detection program ignores all specification compliant data on the vehicle network bus and generates the alert for data on the vehicle network bus that is not specification compliant.

In an embodiment of the mobile router, the wireless wide area network interface and the wireless local area network interface are selectively operable to receive at least one of calibration information and update information for the intrusion detection program.

In the embodiment, the mobile router transmits the alert to one of a man-machine interface in the vehicle, a mobile device, and a server. The mobile router may transmit an alert via a selected one of the wide area network interface and the local area network interface to one of a mobile device and a server.

The specification-based anomaly detection of the embodiment of the mobile router may be utilized to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, and invalid bus identifications.

The wireless wide area network interface and the wireless local area network interface of the mobile router are selectively operable to receive at least one of calibration information and update information for the intrusion detection program.

In the embodiment of the mobile router, the intrusion detection program comprises an anomaly detection engine. The anomaly detection engine may comprise one of statistical anomaly detection and specification based anomaly detection. The anomalies detected may comprise one of re-flashing of an electronic control unit memory, and predetermined radio frequency hub activity in the vehicle.

In an embodiment of a vehicle, the vehicle comprises: a vehicle network bus; and one or more electronic control units coupled to the bus. One electronic control unit comprises: a processor; a memory; an interface to the vehicle network bus; and an intrusion detection program stored in the memory and executable by the processor. The processor utilizes the interface to monitor data on the vehicle network bus and utilizes the intrusion detection program to detect one or more anomalies in the monitored data. The electronic control unit generates an alert upon detection of one or more anomalies.

In one embodiment of a vehicle, the intrusion detection program may comprise statistical anomaly detection, and may further comprise Bayes' Law.

The statistical anomaly detection in the vehicle may utilize a profile of normal data on the vehicle bus based upon learned data. The normal data may comprise one or more of an amount of normal traffic, identification of normal messages, identification of normal vehicle device-to-device communication, and identification of normal sensor data.

The vehicle electronic control unit may transmit the alert to one of a man-machine interface in the vehicle, a mobile device, and a server.

In various embodiments of the vehicle, the vehicle network bus may comprise a Controller Area Network (CAN) bus.

In other embodiments of the vehicle, the intrusion detection program comprises specification based anomaly detection. The intrusion detection program ignores all specification compliant data on the vehicle network bus and generates the alert for data that is not specification compliant.

The specification-based anomaly detection may be utilized to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, and invalid bus identifications.

In embodiments of the vehicle, the wireless wide area network interface is operable to receive at least one of calibration information and update information for the intrusion detection program.

The electronic control unit transmits the alert to one of a man-machine user interface in the vehicle, a mobile device, and a server.

In various embodiments of the vehicle, the electronic control unit is operable to receive at least one of calibration information and update information for the intrusion detection program.

Various embodiments of a vehicle may comprise an anomaly detection engine. The anomaly detection engine may comprise one of statistical anomaly detection and specification based anomaly detection.

In various embodiments of a vehicle, the anomalies may comprise one of re-flashing of an electronic control unit memory, and predetermined radio frequency hub activity in the vehicle.

A method is provided for vehicle intrusion detection for a vehicle comprising a vehicle network bus and electronic control units coupled to the vehicle network bus. The method comprises providing the vehicle with one electronic control unit comprising: a processor; a memory; and an interface to the vehicle network bus. The method further comprises: operating the electronic control unit to monitor data on the vehicle network bus; storing an intrusion detection program in the memory; operating the processor to execute the intrusion detection program to detect one or more types of anomalies in the monitored data; and operating the electronic control unit to generate an alert upon detection of one or more anomalies.

The method for a vehicle may further comprise utilizing statistical anomaly detection to detect one or more types of anomalies; and may also comprise utilizing Bayes' Law to detect one or more types of anomalies.

The method for a vehicle may further comprise utilizing a profile of normal data on the vehicle bus based upon learned data for statistical anomaly detection; and may further comprise selecting the normal data to be one or more of an amount of normal traffic, identification of normal messages, identification of normal vehicle device-to-device communication, and identification of normal sensor data.

The method for a vehicle may further comprise operating the electronic control unit to transmit the alert to one of a man-machine interface in the vehicle, a mobile device, and a server.

In one embodiment of the method for a vehicle, the vehicle network bus may comprise a Controller Area Network (CAN) bus.

In other embodiments of the method for a vehicle, the method may comprise utilizing specification based anomaly detection in the intrusion detection program. The method may further comprise: operating the electronic control unit to ignore all specification compliant data on the vehicle network bus; and generating the alert for data on the vehicle network bus that is not specification compliant.

In various embodiments of a method for a vehicle, the electronic control unit may comprise a wireless wide area network interface, and the method may comprise receiving at least one of calibration information and update information for the intrusion detection program via the wireless wide area network interface.

The method for the vehicle may further comprise utilizing the specification-based anomaly detection to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, spoofing of vehicle bus messages and/or identifications, and invalid bus identifications.

The method for the vehicle may further comprise providing the electronic control unit with an anomaly detection engine. The method may yet further comprise selecting the anomaly detection engine to comprise one of statistical anomaly detection and specification based anomaly detection.

In embodiments of the method for the vehicle, the anomalies may comprise one of re-flashing of an electronic control unit memory, and predetermined radio frequency hub activity in the vehicle.

Further embodiments of the invention are directed to a method of operating a mobile router installed in a vehicle. The vehicle comprises a vehicle network bus coupled to a plurality of electronic control units. The mobile router comprises: a wireless wide area network interface; a wireless local area network interface; an interface to the vehicle network bus; a processor; and a memory comprising a plurality of programs. The plurality of programs comprises an intrusion detection program executable by the processor.

The method of operating a mobile router comprises: monitoring data on the vehicle network bus; utilizing the intrusion detection program to detect one or more anomalies in the monitored data; and generating an alert upon detection of one or more anomalies.

The method may further comprise isolating the intrusion detection program from the other of the plurality of programs. The method may comprise storing the intrusion detection program in a first memory portion and storing the other programs in a second memory portion.

The method of operating a mobile router may further comprise utilizing statistical anomaly detection in the intrusion detection program. The method may yet further comprise utilizing Bayes' Law.

The method of operating a mobile router may include transmitting the alert to one of a man-machine interface in the vehicle, a mobile device, and a server. The method may further include transmitting the alert via a selected one of the wide area network interface and the local area network interface to one of a mobile device and a server.

The method of operating a mobile router may further comprise utilizing a profile of normal data on the vehicle bus based upon learned data to detect anomalies. The normal data may comprise one or more of an amount of normal traffic, identification of normal messages, identification of normal vehicle device-to-device communication, and identification of normal sensor data.

In various embodiments, the method of operating the mobile router may comprise utilizing specification based anomaly detection in the intrusion detection program, and may further comprise ignoring all specification compliant data on the vehicle network bus and generating an alert for data on the vehicle network bus that is not specification compliant.

In various embodiments, the method of operating the mobile router may comprise utilizing specification-based anomaly detection to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, and invalid bus identifications. The method may further comprise receiving at least one of calibration information and update information for the intrusion detection program via a selected one of the wireless wide area network interface and the wireless local area network interface.

In the various embodiments, the method of operating the mobile router may comprise: providing an anomaly detection engine; and utilizing the anomaly detection engine. The method may further comprise selecting the anomaly detection engine to comprise one of statistical anomaly detection and specification based anomaly detection.

In the various embodiments, the method of operating the mobile router may comprise detecting anomalies comprising one of re-flashing of an electronic control unit memory, and predetermined radio frequency hub activity in the vehicle.

A method of operating a predetermined electronic control unit is provided for a vehicle comprising: a vehicle network bus; and one or more electronic control units coupled to the bus. The method comprises: providing the predetermined electronic control unit with a processor, a memory, an interface to the vehicle network bus, and an intrusion detection program. The method further comprises: utilizing the predetermined electronic control unit to monitor data on the vehicle network bus; executing the intrusion detection program to detect one or more anomalies in the monitored data; and utilizing the predetermined electronic control unit to generate an alert upon detection of one or more anomalies.

In the various embodiments, the method of operating a predetermined electronic control unit may comprise utilizing statistical anomaly detection in the intrusion detection program.

In the various embodiments, the method of operating a predetermined electronic control unit may further comprise utilizing Bayes' Law in the intrusion detection program.

In the various embodiments, the method of operating a predetermined electronic control unit may comprise utilizing the predetermined unit to transmit the alert to one of a man-machine interface in the vehicle, a mobile device, and a server.

In the various embodiments, the method of operating a predetermined electronic control unit may comprise utilizing the predetermined unit to transmit the alert to one of the mobile device and the server via the wireless wide area network interface.

In the various embodiments, the method of operating a predetermined electronic control unit may comprise operating the predetermined unit to utilize a profile of normal data on the vehicle bus, the profile of normal data being based upon learned data. The method may comprise selecting the normal data to comprise one or more of an amount of normal traffic, identification of normal messages, identification of normal vehicle device-to-device communication, and identification of normal sensor data.

In the various embodiments, the method of operating a predetermined electronic control unit may comprise providing the intrusion detection program with specification based anomaly detection. The method may further comprise executing the intrusion detection program to ignore all specification compliant data on the vehicle network bus; and operating the predetermined unit to generate the alert for data on the vehicle network bus that is not specification compliant.

In the various embodiments, the method of operating a predetermined electronic control unit may comprise operating the predetermined unit to receive at least one of calibration information and update information for the intrusion detection program via the wireless wide area network interface.

In the various embodiments, the method of operating a predetermined electronic control unit may comprise operating the predetermined unit to utilize specification-based anomaly detection to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, and invalid bus identifications.

In the various embodiments, the method of operating a predetermined electronic control unit may comprise providing the predetermined unit with an anomaly detection engine. The method may further comprise selecting the anomaly detection engine to comprise one of statistical anomaly detection and specification based anomaly detection. In the various embodiments, the method may comprise operating the predetermined unit to select the anomalies to comprise one of re-flashing of an electronic control unit memory, and predetermined radio frequency hub activity in the vehicle.

BRIEF DESCRIPTION OF THE DRAWING

The invention will be better understood by reading the following detailed description in conjunction with the drawing figures, in which like designators refer to like elements, and in which:

FIG. 1 is a block diagram of a first mobile router network arrangement;

FIG. 2 is a block diagram of an expanded mobile router network arrangement;

FIG. 3 is a block diagram of a further expanded mobile router network arrangement;

FIG. 4 is a block diagram of a mobile router;

FIG. 5 is a more detailed block diagram of the mobile router of FIG. 4;

FIG. 6 is a block diagram of a second embodiment of a mobile router;

FIG. 7 is a block diagram of a vehicle;

FIG. 8 is a block diagram of a second embodiment of a vehicle;

FIG. 9 illustrates method steps of a first method embodiment;

FIG. 10 illustrates method steps of a second method embodiment; and

FIG. 11 illustrates method steps of a third method embodiment.

DETAILED DESCRIPTION

Mobile routers are wireless routers that typically permit a mobile device located in a vehicle to maintain a connection to a wide area network and thereby greatly expand the mobility of the mobile device. Mobile routers are fully operable whether the vehicle having a mobile router installed therein is in motion or stationary. The mobile router may maintain connection to the Internet as it travels across cellular networks.

FIG. 1 illustrates a mobile router network 100. Mobile router network 100 comprises a plurality of vehicles 101, each having therein a mobile router 112. Each vehicle 101 includes a wireless local area network 115. Each wireless local area network 115 may be in communication with one or more corresponding mobile devices 116 via a wireless communication link 114. Each wireless local area network 115 includes mobile router 112 and may or may not include one or more mobile devices 116. Each wireless local area network 115 may be, for example, a network compliant with industry standard IEEE 802.11, i.e., a Wi-Fi network, or a network compliant with industry standard IEEE 802.16, i.e., a WiMAX network, or a Bluetooth network, or any other suitable wireless network.

Each mobile device 116 may be any processor based device having a wireless transceiver capable of receiving and transmitting data via the wireless communication link 114. For example, one mobile device 116 may be a laptop (or notebook) computer equipped with a wireless network interface card, a wireless-enabled PDA, a pocket or palmtop computer, a Wi-Fi phone (e.g., a Skype phone or VoIP phone), a Wi-Fi appliance, a Sony PlayStation PSP or some other portable, network-enabled gaming station, a video screen, a digital camera, an audio player, a navigation device, a security camera, an alarm device, a wireless payment or POS device, or an automotive electronic device.

Mobile router 112 may act as a gateway between wireless network 115 and a backhaul network 120. In one embodiment, backhaul network 120 is a cellular wireless network. Backhaul network 120 in turn may be connected to the Internet 118 or any other network, such as an intranet or another WAN, via a gateway 124.

Mobile router 112 communicates with the backhaul network 120 via a backhaul wireless communication link 122. Backhaul wireless communication link 122 may be provided by a wireless network that is part of the backhaul network 120, such as a cellular wireless network. The cellular wireless network may be of any type.

Examples of such types of cellular network include, but are not limited to, the following types: a Global System for Mobile Communications/General Packet Radio Service (GSM/GPRS) link; a UMTS (Universal Mobile Telecommunications System) link; a Code Division Multiple Access (CDMA) link; an Evolution-Data Optimized (EV-DO) link; an Enhanced Data Rates for GSM Evolution (EDGE) link; a 3GSM link; a Digital Enhanced Cordless Telecommunications (DECT) link; a Digital AMPS (IS-136/TDMA) link; an Integrated Digital Enhanced Network (iDEN) link; a WiMAX link; or any other suitable wireless link.

Each mobile router 112 and its corresponding mobile device 116 are co-located in a vehicle 101 so that mobile router 112 is capable of being mobile and operable to establish connectivity whether mobile or stationary, such that each end-user of a mobile device 116 can enjoy wireless connectivity to Internet 118 via mobile router 112 as the vehicle travels through cells or nodes associated with wireless network 122. Vehicle 101 may be any type of vehicle that travels over and/or under land, over and/or under water, or in the air or space. The most common type of vehicle 101 that is likely to include a mobile router is a car, truck, or bus.

Each mobile router 112 may be mounted in a corresponding vehicle 101 in a secure and generally tamper-resistant location. For example, the mobile router 112 may be mounted in the trunk of an automobile, and the end-user of the mobile device 116 may be a passenger or driver of the automobile. That way, the end-user could enjoy wireless connectivity as the automobile moves between cells of the wireless network 122.

Although only one mobile device 116 is shown in communication with each mobile router 112 shown in FIG. 1, numerous mobile devices 116 may be in communication with a corresponding mobile router 112 via the corresponding local area network 115.

Cellular network cell site transceiver 130 may be used to provide a cellular link to mobile router 112 and both receive and transmit wireless signals to a mobile router 112 via one of the wireless cellular communication links 122. A cellular communication network 132 of cellular backhaul network 120 may communicate via the worldwide web or Internet 118 or another network via one or more gateways 124. Each communication network 132 may include conventional communication network elements to provide wireless cellular network service for each mobile router 112.

Each vehicle 101 includes a vehicle network bus 591 that is more fully described herein below. Each mobile router 112 is coupled to its corresponding vehicle's vehicle network bus 591.

Turning now to FIG. 2, mobile router network 100 is shown in a more expanded networked arrangement in which cellular backhaul network 120 is shown as having a plurality of cell site transceivers 130, each of which can communicate with one or more vehicles 101 having a mobile router 112 therein. FIG. 2 shows one gateway 124 to Internet 118, but it will be appreciated that there may be a plurality of such gateways 124, each of which may have access to the Internet 118 or to another network.

Turning now to FIG. 3, mobile router network 100 is illustrated in further expanded form to show that there may be a plurality of cellular backhaul networks 120, each comprising a number of cell site transceivers, each located in different areas serviced by the backhaul networks 120, such that each mobile router 112 may stay in communication with a backhaul network 120 as each mobile router 112 moves between cells or nodes of the backhaul networks 120. It will be appreciated by those skilled in the art that there is virtually no limit to the size of mobile router network 100.

Each of FIGS. 1 through 3 shows that mobile router network 110 comprises at least one network operations center 141. Network operations center 141 comprises a database 143 and a network management system 145. Network management system 145 is a combination of hardware and software used to monitor and administer or otherwise manage mobile router network 100. Each mobile router 112 is managed as an individual network element.

Network management system 145 comprises an authentication server 129, a session manager 131, and a communication server 133. Communication server 133 is a combination of hardware and software used to manage communications between mobile routers 120 and network management system 145.

FIG. 4 is a simplified block diagram of a mobile router 112 situated in a vehicle 101. Mobile router 112 comprises processor 440, one or more memory units 442, a backhaul network interface or wide area network interface or cellular network interface 444, and a local network interface 446. A system bus 448 interconnects processor 440, memory units 442, backhaul network interface 444 and local network interface 446.

Backhaul or cellular network interface 444 interfaces with and provides a wireless communication link with backhaul or cellular network 120 via cell site transceiver 130. Backhaul or cellular network interface 444 may interface with one or more types of wireless cellular communication links 122. For example, the backhaul cellular network interface 444 may interface to any one or more of: a Global System for Mobile Communications/General Packet Radio Service (GSM/GPRS) link; a UMTS (Universal Mobile Telecommunications System) link; a Code Division Multiple Access (CDMA) link; an Evolution-Data Optimized (EV-DO) link; an Enhanced Data Rates for GSM Evolution (EDGE) link; a 3GSM link; a Digital Enhanced Cordless Telecommunications (DECT) link; a Digital AMPS (IS-136/TDMA) link; an Integrated Digital Enhanced Network (iDEN) link; a WiMAX link; or any other suitable wireless link.

Local area network interface 446 interfaces with and provides a wireless communication link 114 with wireless local area network 115. Similarly, local network interface 446 may interface to one or more types of wireless network links 114 such as a Wi-Fi, WiMAX, or Bluetooth link.

Processor 440 may execute various programs or instruction code stored in memory 442. Memory 442 may comprise one or more types of computer-readable media. As such, memory 442 may comprise one or more memory chips, optical memory devices, magnetic memory devices, or other memory devices.

Various programs or program modules are executable by processor 440. The program modules include a routing module 450, a link monitor module 452, a session proxy module 454, and a serial port data publisher module 456. The program modules 450, 452, 454, 456 may be stored in portions of memory 442 or in one or more separate memories.

Routing module 450 is executed by processor 440 to route data packets between wireless network 415 and backhaul or cellular network 420. Link monitor program 452 monitors cellular communication links 122 (layer 2) and also Internet communication links (layer 3) via backhaul or cellular network 120 by sending test or probing data packets and monitoring for responses thereto. By monitoring the sending and receiving of test packets and responses, processor 440 executing link monitor program 452 detects if either (or both) of the cellular communication link or Internet 118 link fails.

When processor 440, executing link monitor module 52, detects a drop-off, the dropped link is automatically reestablished to minimize the interruption in service to the end user.

In many prior art mobile routers, when communications links are lost, the end-user's applications and network sessions are terminated. The end-user has to restart the applications and/or session when the communications links and network connection are reestablished.

When processor 440 detects a failure in one or both of the communications link 122 or Internet 118 link, processor 440 initiates remedial action by attempting to reestablish the link or links. Processor 440 may reestablish the link before any applications on the corresponding mobile device 116 have to be restarted. That way, the user does not have to restart the applications or sessions. The user typically just notices that the applications/sessions slowed for a brief period of time while the connection was being reestablished.

Link monitor module 452 as executed on processor 440 provides adaptive programming. If backhaul or cellular network interface 44 receives data packets over backhaul wireless communication link 122, processor 440 sends fewer probing test data packets. Conversely, if backhaul or cellular network interface 444 does not receive data packets, processor 440 sends more probing test data packets. By monitoring data packets received via backhaul or cellular network interface 444, processor 440 determines that the interface is functioning. Accordingly, processor 440 sends data test packets less frequently.

Processor 440, executing link monitor module 452, monitors backhaulnetwork interface 444 to determine that data packets are received. Ifprocessor 440 determines that backhaul wireless communication link 122is working, then processor 440 sends fewer active probes on the backhaulor cellular network 120.
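The adaptive probing of link monitor module 452, as an added example that is not code from the patent: a monitor that backs off active probes while data arrives on backhaul interface 444, probes more often while the link is idle, and reconnects as soon as a probe goes unanswered. The interval bounds (2 s to 60 s), the 5 s idle threshold, and the probe and reconnect callbacks standing in for the module's layer 2 and layer 3 test packets are assumptions made here.

```python
"""Adaptive active probing as described for link monitor module 452.
Added example, not code from the patent: the interval bounds, the idle
threshold and the probe/reconnect callbacks are assumptions made here."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class LinkMonitor:
    min_interval: float = 2.0        # assumed: never probe more often than every 2 s
    max_interval: float = 60.0       # assumed: never less often than every 60 s
    idle_after: float = 5.0          # assumed: 5 s without passive traffic counts as idle
    interval: float = 10.0           # current time between active probes
    last_rx: float = float("-inf")   # last data packet seen on backhaul interface 444
    last_probe: float = float("-inf")
    up: bool = True
    reconnects: int = 0
    events: List[str] = field(default_factory=list)

    def on_data_received(self, now: float) -> None:
        """Passive evidence that the link works: back off active probing."""
        self.last_rx = now
        self.interval = min(self.max_interval, self.interval * 2)
        if not self.up:
            self.up = True
            self.events.append(f"t={now:g} link up (data received)")

    def tick(self, now: float, probe: Callable[[], bool],
             reconnect: Callable[[], None]) -> bool:
        """Call periodically; a probe is sent only when one is due. Returns link state."""
        if now - self.last_probe < self.interval:
            return self.up
        self.last_probe = now
        idle = now - self.last_rx >= self.idle_after
        if probe():
            if not self.up:
                self.up = True
                self.events.append(f"t={now:g} link up (probe answered)")
            if idle:   # nothing else confirms the link: keep probing more often
                self.interval = max(self.min_interval, self.interval / 2)
            else:      # data is flowing anyway: the probe was redundant, back off
                self.interval = min(self.max_interval, self.interval * 2)
        else:
            self.up = False
            self.interval = self.min_interval   # probe aggressively until restored
            self.reconnects += 1
            self.events.append(f"t={now:g} link down, reconnecting")
            reconnect()
        return self.up


def simulate() -> LinkMonitor:
    """Scripted scenario (constructed): idle start, received data at t=12..14,
    the backhaul dropping at t=30 and being re-dialled by the monitor."""
    link_ok = [True]

    def probe() -> bool:
        return link_ok[0]

    def reconnect() -> None:   # stand-in for re-establishing link 122
        link_ok[0] = True

    m = LinkMonitor()
    for now in range(40):
        if 12 <= now < 15:
            m.on_data_received(float(now))
        if now == 30:
            link_ok[0] = False
        m.tick(float(now), probe, reconnect)
    return m


if __name__ == "__main__":
    print(simulate().events)
```

The asymmetry is deliberate: a successful probe on an idle link halves the interval, because the probe is the only evidence the link exists; received data doubles it, because the traffic is free evidence and every probe it replaces is airtime and battery saved on the cellular side.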

Processor 440, by executing session proxy module 454, acts as a session proxy for all TCP sessions going through mobile router 112. When a mobile device 116 seeks to establish a TCP session with a destination such as a third party server 126 coupled to Internet 118, processor 440 terminates the TCP session coming from mobile device 116 and, instead, establishes a TCP session via backhaul network interface 444 with the destination. Mobile router 112 also maintains a separate TCP session with mobile device 116 via local wireless communication link 114.

All end-user traffic between mobile device 116 and the destination is transparently routed through mobile router 112 over the two separate sessions. If one session, such as the session over backhaul wireless communication link 122, goes down, that does not negatively affect the session between mobile router 112 and mobile device 116. As a result, processor 440, executing session proxy program module 454, maintains a TCP session to mobile device 116. If applications running on mobile device 116 are dependent upon a TCP session, the applications may continue to run because there is a TCP session with mobile router 112, even though the TCP session over the backhaul or cellular wireless communication link 122 is lost. When communications via backhaul or cellular communication link 122 are reestablished, mobile device 116 is able to keep running its applications and session without having to restart the applications.

When communication over backhaul network or cellular communication link 122 is interrupted, processor 440, executing session proxy program module 454, prevents the TCP session over wireless communication link 114 to mobile device 116 from starting its back-off timers. Under the TCP protocol, mobile device 116 would normally assume that it cannot forward packets because of network congestion and would accordingly start to slow down the session. In contrast, processor 440, executing session proxy module 454, maintains the TCP session between mobile router 112 and mobile device 116. Mobile device 116 does not assume that network congestion is a problem, and the TCP session between mobile router 112 and mobile device 116 does not slow down.

Execution of session proxy module 454 by processor 440 may be disabled by mobile device 116 via a control panel for mobile router 112 displayed on mobile device 116. A user can disable execution of session proxy program module 454 when the user wants to maintain an end-to-end TCP session with the destination.

Processor 440, when executing serial port data publisher module 456, makes data received from a serial device 436 connected to a serial port 438 available via mobile router 112 as a TCP stream or as some other type of data stream, such as an HS-TCP or SCPS data stream. A remote database 125, as shown in FIG. 1, may be populated with the data from device 436 via backhaul or cellular network 120 and Internet 118 so that data from serial device 436 can be remotely accessed via Internet 118.

Serial device 436 may communicate with mobile router 112 using any suitable serial data protocol, including the USB (Universal Serial Bus) standard, the RS-232 standard, the RS-485 standard, or the IEEE 1394 (FireWire) standard, for example.

Serial device 436 may be any suitable type of serial device, such as, for example, a GPS receiver. Other types of serial data devices 436 may be used. Serial device 436 may be a vehicle telematics device that captures data regarding the performance and operation of the vehicle (e.g., diagnostic data) in which the device is installed. Serial device 436 may be a point-of-sale (POS) device that captures sale or payment information.

Serial data device 436 may also be a remote control for an in-car entertainment system that enables downloading music, video, games, etc., to third party systems, or a device for interfacing to communication systems.

Rather than transmitting the data to a central server, e.g., database 125 shown in FIG. 1, a remote user could access mobile router 112 to obtain the data from serial device 436 directly. In one embodiment, an authenticated remote user could access an authentication server 123 as shown in FIG. 1 to determine the address of a specific mobile router 112. The remote user could then use that address to communicate with mobile router 112 directly. Similarly, a local end-user of mobile router 112 could access the data from the serial device via local wireless communication link 114.

Processor 440 can output data and command signals via serial interface 438 to serial device 436. Utilizing serial interface 438, processor 440 may activate and control various components and/or systems of a vehicle 101. Serial device 436 may be able to shut off the vehicle engine, unlock the doors, activate alarm functions, etc. Serial device 436 may also, according to various embodiments, perform payment functions, download data, receive advertising, entertainment, gaming, and/or information, as well as perform network management and control.

Each mobile router 112 in the embodiment includes a communication agent 441. Communication agent 441, in the embodiment shown, is a program executed by processor 440, but in other embodiments, communication agent 441 may be a separate processor and program. Communication agent 441 cooperatively operates with communication server 133 shown in FIG. 1.

Processor 440 of each mobile router 112 has the ability to run applications that can perform functions and collect data independently of whether or not mobile router 112 is linked to network management system 141.

Each mobile router has associated with it a specific identifier that is maintained in database 145. The specific identifier can be any unique identifier such as a router serial number or a vehicle identification number. Network operations center 141, utilizing communication server 133, is capable of selectively communicating with each mobile router 112.

Advantageously, the selective communication between each mobile router 112 and network operations center 141 permits the downloading of application programs 565 to each of mobile routers 112 for storage in memory 442 on a selective basis, the communication of data obtained from each router 112 as a consequence of execution of a downloaded application program, and/or the communication of statistical information obtained in or by a mobile router as a result of execution of an application program.

In addition, network operations center 141 is operable to facilitate the downloading of application programs ordered by each mobile router 112 directly or indirectly from third party servers 126.

Network operations center 141 also sends predetermined commands to specific mobile routers 112 for immediate execution or for execution at a predetermined interval.

As shown in FIG. 5, each mobile router 112 stores application programs 565 in memory 442. Each mobile router 112 is operable to collect data utilizing application programs 565 as well as from interfaces to the vehicle in which mobile router 112 is installed and/or from peripherals 430 coupled to mobile router 112 via serial data interface 438 and/or from mobile device 116. The collected data is marked with a timestamp and stored in memory 442 of mobile router 112. Depending on the nature of the data, mobile router 112 may process the data and prepare the resulting processed data for upload, or mobile router 112 may prepare the data immediately for upload to network management system 141. In accordance with one embodiment, the data may be provided by a telematics device or devices.

In certain embodiments, each vehicle 101 includes a vehicle network bus 591 that typically utilizes a standardized protocol over which data or commands may be communicated with various sensors, nodes, processors and other vehicular apparatus coupled to the vehicle network bus.

Vehicle network bus 591 is a specialized internal communications network that interconnects components inside a vehicle (e.g. automobile, bus, train, industrial or agricultural vehicle, ship, or aircraft). Special requirements for vehicle control such as assurance of message delivery, assured non-conflicting messages, assured time of delivery, as well as low cost, EMF noise resilience, redundant routing and other characteristics are met with the use of various standardized networking protocols.

Standardized vehicle network bus protocols include Controller Area Network (CAN), Local Interconnect Network (LIN) and others.

Vehicle network bus 591 provides access to the various vehicle electronic control modules in the vehicle. Some of the typical electronic modules on today's vehicles are the Engine Control Unit (ECU), the Transmission Control Unit (TCU), the Anti-lock Braking System (ABS) and body control modules (BCM).

A vehicle electronic control module typically gets its input from sensors (speed, temperature, pressure, etc.) that it uses in its computation. Various actuators are used to enforce the actions determined by the module (turn the cooling fan on, change gear, etc.). The electronic control modules need to exchange data among themselves during the normal operation of the vehicle. For example, the engine needs to tell the transmission what the engine speed is, and the transmission needs to tell other modules when a gear shift occurs. This need to exchange data quickly and reliably led to the development of vehicle network bus 591. Vehicle network bus 591 is the medium of data exchange.

Vehicle network bus 591 is utilized to create a central network in the vehicle 101. Each electronic control module is "plugged" into the network and can communicate with any other electronic control module installed on the network via vehicle network bus 591. Each electronic control module controls specific components related to its function and communicates with the other modules as necessary, using a standard protocol, over the vehicle network bus.

Each mobile router 112 includes a vehicle network bus interface 571 and a connector 573 that connects to the vehicle network bus 591 of vehicle 101. Vehicle network bus 591 is coupled to various vehicle electronic control units 593.

As used herein, an electronic control unit (ECU) is any embedded system that controls one or more of the electrical systems or subsystems in a vehicle. Types of ECU include electronic/engine control module (ECM), powertrain control module (PCM), transmission control module (TCM), brake control module (BCM or EBCM), central control module (CCM), central timing module (CTM), general electronic module (GEM), body control module (BCM), suspension control module (SCM), control unit, or control module. One module assembly may incorporate several of the individual control modules. Each ECU typically includes a microcontroller and memory. The memory is typically SRAM, EEPROM or flash memory. The memory contains embedded software to control operation of the ECU.

In one embodiment, a vehicle 101 comprises a vehicle network bus 591 and a mobile router 112. Mobile router 112 comprises a local area network interface 446 comprising a first wireless transceiver 446A of a first predetermined type to provide a link 114 to a first local area network 115, and a wide area network interface 444 comprising a second wireless transceiver 444A of a second predetermined type to provide a link 122 to a wide area network 120. The embodiment further comprises processor 440 to control operation of local area network interface 446 and wide area network interface 444. One of wide area network interface 444 and local area network interface 446 is selectively operable to establish a wireless communication link with network management system 141 comprising a communication server 133. Each mobile router 112 further comprises a communication agent 513 and an application 565 executable by processor 440 to selectively acquire predetermined data from vehicle network bus 591. Communication agent 513 is operable to upload the predetermined data obtained from vehicle network bus 591 to network management system 141 of FIGS. 1, 2, 3.

Processor 440 is operable to acquire the predetermined data during time periods in which wide area network interface 444 is not communicating with network management system 141. Communication agent 513 is operable to upload the predetermined data to network management system 141 upon occurrence of a predetermined event.

The predetermined event may comprise a predetermined time period, which may be the time during which wide area network interface 444 is in communication with network management system 141, and/or the predetermined event may be determined by the predetermined data, such as, for example, data that indicates deployment of an air bag.

Mobile router 112 stores the predetermined data in memory 567.

Processor 440 provides a time stamp for the predetermined data at the time the data is acquired. The time stamp is stored in memory 567 in association with the corresponding predetermined data.

Processor 440 is operable to assign a priority to the predetermined data, and is operable to execute a predetermined action to take with the predetermined data.

Processor 440 is operable to initiate immediate upload to network management system 141 of predetermined data having a particular assigned priority. By way of non-limiting example, data indicating deployment of air bags would be assigned a priority for immediate upload.

Processor 440 is operable to control upload of predetermined data having a first assigned priority at a first data rate. Processor 440 is operable to control upload of second predetermined data having a second assigned priority at a second predetermined data rate, the second predetermined data rate being slower than the first predetermined data rate.

Communication agent 513 is operable to determine if uploading of the predetermined data is interrupted. Communication agent 513 is operable, in cooperation with communication server 133, to restore uploading of the predetermined data to network management system 141 from the point of interruption when a communication link between communication server 133 of network management system 141 and communication agent 513 is restored.

Processor 440 is operable to process the predetermined data prior to the data being uploaded, and processor 440 is operable to store the processed predetermined data as the predetermined data in memory 567.

A time stamp is generated for the predetermined data when it is acquired. The time stamp is stored in memory 567 in association with the corresponding processed predetermined data.

Communication agent 513 may be further operable to determine when uploading occurs in cooperation with the application program or programs 565.

The predetermined data may comprise statistical data and/or diagnostic data. The diagnostic data is obtained via vehicle network bus interface 571. Processor 440 is operable to process the diagnostic data to generate message data. Communication agent 513 is operable to upload the message data to network management system 141 via one of local area network interface 446 and wide area network interface 444.
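The acquisition, timestamping, priority-based upload and resume-from-interruption behaviour described for memory 567, communication agent 513 and communication server 133, as one added example that is not code from the patent. The priority classes, the modelling of the two data rates as a number of records per upload cycle, and the acknowledgement protocol (the server reports which sequence numbers it holds, and the agent resumes from there) are assumptions made here; the air bag message identifier and all records are constructed.

```python
"""Timestamped collection, priority upload and resume after interruption for
data acquired from vehicle network bus 591. Added example, not the patent's
code: priorities, the records-per-cycle rate model and the ack protocol are
assumptions; all sample records are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Set


class Priority(IntEnum):
    IMMEDIATE = 0   # e.g. air bag deployment: upload at once
    NORMAL = 1      # diagnostic data: first (faster) data rate
    BULK = 2        # statistical data: second (slower) data rate


@dataclass(frozen=True)
class Record:
    seq: int
    timestamp: float    # time of acquisition, stored with the data
    source: str         # e.g. "bus:0x0A1" (naming assumed)
    priority: Priority
    payload: bytes


class CollectionStore:
    """Stand-in for memory 567: each acquired item is sequence-numbered and timestamped."""
    def __init__(self) -> None:
        self.records: List[Record] = []

    def acquire(self, source: str, payload: bytes, now: float, priority: Priority) -> Record:
        rec = Record(len(self.records), now, source, priority, payload)
        self.records.append(rec)
        return rec


class CommunicationServer:
    """Stand-in for communication server 133. It remembers what it has received so the
    agent can resume from the point of interruption; drop_after simulates a link loss."""
    def __init__(self) -> None:
        self.received: List[Record] = []
        self.drop_after: Optional[int] = None

    def acked(self) -> Set[int]:
        return {r.seq for r in self.received}

    def put(self, rec: Record) -> bool:
        if self.drop_after is not None:
            if self.drop_after == 0:
                self.drop_after = None      # link comes back for the next cycle
                return False
            self.drop_after -= 1
        self.received.append(rec)
        return True


class CommunicationAgent:
    """Stand-in for communication agent 513."""
    def __init__(self, store: CollectionStore, server: CommunicationServer,
                 fast_per_cycle: int, slow_per_cycle: int) -> None:
        self.store, self.server = store, server
        self.fast_per_cycle, self.slow_per_cycle = fast_per_cycle, slow_per_cycle

    def on_acquired(self, rec: Record, link_up: bool) -> int:
        """Immediate-priority data triggers an upload now; everything else waits for a cycle."""
        return self.upload(link_up) if rec.priority == Priority.IMMEDIATE else 0

    def upload(self, link_up: bool) -> int:
        """One upload cycle. Returns the number of records the server accepted."""
        if not link_up:
            return 0
        acked = self.server.acked()                  # resume point after an interruption
        pending = sorted((r for r in self.store.records if r.seq not in acked),
                         key=lambda r: (r.priority, r.seq))
        budget = {False: self.fast_per_cycle, True: self.slow_per_cycle}   # keyed by "is bulk"
        sent = 0
        for rec in pending:
            bulk = rec.priority == Priority.BULK
            if budget[bulk] == 0:
                continue
            if not self.server.put(rec):
                break                                # link dropped; next cycle resumes from acks
            budget[bulk] -= 1
            sent += 1
        return sent


if __name__ == "__main__":
    store, server = CollectionStore(), CommunicationServer()
    agent = CommunicationAgent(store, server, fast_per_cycle=2, slow_per_cycle=2)
    for i in range(5):
        agent.on_acquired(store.acquire("bus:0x1A0", b"stat%d" % i, 100.0 + i, Priority.BULK), True)
    agent.on_acquired(store.acquire("bus:0x0A1", b"deployed", 106.0, Priority.IMMEDIATE), True)
    print([(r.seq, r.timestamp) for r in server.received])
```

Because the resume point comes from the server's acknowledgements rather than from a counter kept on the router, a record that was sent but never acknowledged (the link dropped while it was in flight) is simply sent again, and the original acquisition timestamp travels with it, so the server's view of when the data was captured does not depend on when the link happened to be up.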

In various embodiments, the application or applications 565 are downloaded to the vehicle via one of wide area network interface 444 and local area network interface 446.

As pointed out hereinabove, with the advent of extensive use of ECUs, one concern is "car hacking", or placing malware onto the vehicle's electronic control system. One typical method of "car hacking" is to reprogram or "re-flash" the ECU program memory to program malware into the vehicle system. As used in this application, the term "re-flash" is understood to mean the reprogramming of ECU program memory regardless of the type of memory.

Memory 442 includes vehicular intrusion detection program 599. Intrusion detection program 599 is executed by one or more of processors 440.

Processor 440 executing intrusion detection program 599 utilizes network interface 571 to monitor data on vehicle network bus 591. Processor 440 executing intrusion detection program 599 operates to detect one or more anomalies in the monitored network bus data. Upon detecting an anomaly, processor 440 generates an alert.

Intrusion detection program 599 is isolated from the other programs stored in memory 442. Memory 442 comprises a first memory portion 597 that contains intrusion detection program 599 and a second memory portion 595 comprising the other programs. By providing first memory portion 597 and second memory portion 595, intrusion detection program 599 may be isolated from the other programs utilizing various memory isolation approaches that ensure the integrity of intrusion detection program 599.

In a first embodiment, intrusion detection program 599 comprises statistical anomaly detection and may utilize Bayes' Law. Bayes' Law is also referred to as Bayes' Theorem or Bayes' Rule and is well known to those skilled in the art of statistics.

The statistical anomaly detection provided by intrusion detection program 599 may utilize a profile of normal data on the vehicle bus based upon learned data. The normal data comprises one or more of an amount of normal traffic on vehicle network bus 591, identification of normal messages on vehicle network bus 591, identification of normal vehicle device-to-device communication over vehicle network bus 591, and identification of normal sensor data transmitted over the vehicle network bus.

When one or more processors 440 executing intrusion detection program 599 detect an anomaly in data, messages, communications or sensor data transmitted on vehicle network bus 591, mobile router 112 generates an alert and transmits the alert to one or more of: a man-machine interface in the vehicle, via vehicle network bus 591, serial interface 438 or LAN interface 446; a mobile device such as mobile device 116, via LAN interface 446, or another mobile device such as a cell phone, via backhaul network interface 444; and a server accessed via backhaul network interface 444 or LAN interface 446. The mobile router may thus transmit the alert via a selected one of the wide area network interface and the local area network interface to one of a mobile device and a server.

In another embodiment, intrusion detection program 599 comprises specification based anomaly detection. In this embodiment, processor 440 executing intrusion detection program 599 ignores all specification compliant data on vehicle network bus 591 and generates an alert for data on vehicle network bus 591 that is not specification compliant.

Specification-based anomaly detection may be utilized to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, and invalid bus identifications.

Intrusion detection program 599 may receive calibration information and/or update information via wireless wide area network interface 444 or wireless local area network interface 446.

In the embodiment of FIG. 6, an anomaly detection engine 601 is provided in mobile router 112. Anomaly detection engine 601 may comprise one or both of a statistical anomaly detection program 591a and a specification based anomaly detection program 591b. In addition to the anomalies detected as described above, anomaly detection engine 601 may detect one or both of re-flashing of an electronic control unit memory and predetermined radio frequency hub activity in the vehicle. The type of predetermined radio frequency hub activity may include attempts to unlock or access the vehicle by transmitting various radio frequency codes in an attempt to hit upon a predetermined code assigned to the vehicle.
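The detectors described above for intrusion detection program 599 and anomaly detection engine 601 (statistical anomaly detection with Bayes' rule over a learned profile of normal traffic, specification-based detection that ignores compliant frames and alerts on everything else, and detection of an ECU re-flash), as one added example that is not code from the patent. Everything concrete in it is an assumption made here: the specification table SPEC with its identifiers, lengths and signal ranges; the constructed normal and attack traffic; the attack model inside posterior_attack (injected frames only shorten the gap between frames of the same identifier); and the re-flash indicator, which watches the ISO 15765-4 diagnostic request identifiers for a UDS DiagnosticSessionControl request for the programming session or a RequestDownload request, since a re-flash over the bus starts with those. The radio frequency hub activity of engine 601 is outside the bus data and is not covered.

```python
"""Anomaly detection engine 601 for vehicle network bus 591: statistical
(Bayes' rule) and specification-based detectors plus a re-flash heuristic, run
over constructed CAN traffic. Added example, not the patent's code; SPEC, the
traffic, the attack model and the UDS-based heuristic are assumptions."""
import math
import random
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Frame(NamedTuple):
    t: float       # seconds
    can_id: int    # 11-bit identifier
    data: bytes


# Assumed specification: id -> (DLC, scale for bytes 0..1 big-endian, min, max).
SPEC = {0x0C0: (8, 0.25, 0.0, 8000.0),    # engine speed, rpm
        0x1A0: (8, 0.01, 0.0, 250.0),     # vehicle speed, km/h
        0x2B0: (4, 1.0, 0.0, 100.0)}      # brake pressure, percent
MAX_SPEED_STEP = 5.0                      # km/h between consecutive 0x1A0 frames (assumed)
UDS_REQUEST_IDS = range(0x7E0, 0x7E8)     # ISO 15765-4 physical diagnostic request IDs


class AnomalyDetectionEngine:
    def __init__(self, prior_attack: float = 0.01, threshold: float = 0.9) -> None:
        self.prior, self.threshold = prior_attack, threshold
        self.model: Dict[int, Tuple[float, float]] = {}   # id -> (mean gap, std of gap)
        self.last_seen: Dict[int, float] = {}
        self.last_speed: Optional[float] = None
        self.alerts: List[Tuple[float, str, str]] = []    # (time, detector, detail)

    def learn(self, frames: List[Frame]) -> None:
        """Profile of normal traffic: inter-arrival time of each identifier."""
        gaps, last = defaultdict(list), {}
        for f in frames:
            if f.can_id in last:
                gaps[f.can_id].append(f.t - last[f.can_id])
            last[f.can_id] = f.t
        for cid, g in gaps.items():
            mu = sum(g) / len(g)
            sd = math.sqrt(sum((x - mu) ** 2 for x in g) / len(g))
            self.model[cid] = (mu, max(sd, 0.05 * mu))   # floor keeps the density finite

    def posterior_attack(self, cid: int, gap: float) -> float:
        """Bayes' rule: P(attack | gap) from the learned Gaussian for normal traffic and
        an assumed attack model (injection only shortens gaps, uniformly over (0, mean])."""
        mu, sd = self.model[cid]
        z = (gap - mu) / sd
        like_normal = math.exp(-0.5 * z * z) / (sd * math.sqrt(2 * math.pi))
        like_attack = 1.0 / mu if gap <= mu else 0.0
        denom = self.prior * like_attack + (1 - self.prior) * like_normal
        return self.prior * like_attack / denom if denom else 0.0

    def alert(self, f: Frame, detector: str, detail: str) -> None:
        self.alerts.append((f.t, detector, detail))

    def inspect(self, f: Frame) -> int:
        """Check one frame; compliant data is ignored. Returns the number of alerts raised."""
        before = len(self.alerts)
        if f.can_id in UDS_REQUEST_IDS:
            self.check_reflash(f)
        elif f.can_id not in SPEC:                                # invalid bus identification
            self.alert(f, "spec", f"unknown identifier 0x{f.can_id:03X}")
        else:
            dlc, scale, lo, hi = SPEC[f.can_id]
            if len(f.data) != dlc:
                self.alert(f, "spec", f"0x{f.can_id:03X} DLC {len(f.data)} != {dlc}")
            else:
                v = int.from_bytes(f.data[:2], "big") * scale
                if not lo <= v <= hi:
                    self.alert(f, "spec", f"0x{f.can_id:03X} value {v} outside [{lo}, {hi}]")
                if f.can_id == 0x1A0:                             # acceleration/braking pattern
                    if self.last_speed is not None and abs(v - self.last_speed) > MAX_SPEED_STEP:
                        self.alert(f, "spec", f"implausible speed change {self.last_speed} -> {v}")
                    self.last_speed = v
            if f.can_id in self.last_seen and f.can_id in self.model:
                p = self.posterior_attack(f.can_id, f.t - self.last_seen[f.can_id])
                if p > self.threshold:
                    self.alert(f, "stat", f"0x{f.can_id:03X} P(attack)={p:.3f}")
            self.last_seen[f.can_id] = f.t
        return len(self.alerts) - before

    def check_reflash(self, f: Frame) -> None:
        """ISO-TP single frame: data[0] is the length, data[1] the UDS service id. Session
        control (0x10) to programmingSession (0x02) or RequestDownload (0x34) starts a re-flash."""
        if len(f.data) >= 2 and f.data[0] & 0xF0 == 0:
            sid = f.data[1]
            programming = sid == 0x10 and len(f.data) >= 3 and f.data[2] & 0x7F == 0x02
            if programming or sid == 0x34:
                self.alert(f, "reflash", f"UDS 0x{sid:02X} on 0x{f.can_id:03X}, speed={self.last_speed}")


def normal_traffic(start: float, seconds: float, rng: random.Random) -> List[Frame]:
    """Constructed normal traffic: 0x0C0 and 0x1A0 every 10 ms, 0x2B0 every 50 ms."""
    frames, speed = [], 50.0
    for k in range(int(seconds * 100)):
        t = start + k / 100 + rng.gauss(0, 0.0002)
        frames.append(Frame(t, 0x0C0, int((2000 + k % 400) / 0.25).to_bytes(2, "big") + bytes(6)))
        frames.append(Frame(t + 0.002, 0x1A0, int(speed / 0.01).to_bytes(2, "big") + bytes(6)))
        if k % 5 == 0:
            frames.append(Frame(t + 0.004, 0x2B0, (10).to_bytes(2, "big") + bytes(2)))
        speed += 0.01
    return sorted(frames)


def attack_traffic(start: float, rng: random.Random) -> List[Frame]:
    """Constructed attack: speed spoofed to 0 every 1 ms, an unknown identifier, and a UDS
    programmingSession request on 0x7E0 while the vehicle is moving."""
    frames = normal_traffic(start, 0.5, rng)
    frames += [Frame(start + 0.2 + i / 1000, 0x1A0, bytes(8)) for i in range(50)]
    frames.append(Frame(start + 0.3, 0x3FF, b"\x00"))
    frames.append(Frame(start + 0.4, 0x7E0, bytes([0x02, 0x10, 0x02, 0, 0, 0, 0, 0])))
    return sorted(frames)


def demo() -> Tuple[int, Set[str]]:
    """Train on normal traffic, confirm held-out normal traffic is silent, then attack."""
    rng = random.Random(7)
    engine = AnomalyDetectionEngine()
    engine.learn(normal_traffic(0.0, 10.0, rng))
    false_alarms = sum(engine.inspect(f) for f in normal_traffic(10.0, 2.0, rng))
    seen = len(engine.alerts)
    for f in attack_traffic(20.0, rng):
        engine.inspect(f)
    return false_alarms, {detector for _, detector, _ in engine.alerts[seen:]}
```

Two design points carry over to a real deployment. The standard deviation floor in learn() matters as much as the Bayes step: a profile learned from a quiet bench bus has almost no jitter, and without the floor every gap that is a few microseconds off would look like an attack. And the speed-step rule shows what "specification-based" buys over the statistical path: the spoofed speed frames would eventually be learned as normal if injection went on long enough, whereas a 50 km/h change in 10 ms is never compliant.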

It will be appreciated by those skilled in the art that the various functions of each of the plurality of mobile routers 112 may be integrated directly into a vehicle 101.

Turning now to FIG. 7, an embodiment of a vehicle 101 comprises vehicle network bus 591 and electronic control units 701 coupled to vehicle network bus 591. One electronic control unit 112a comprises: a processor or microprocessor 440; a memory 442; an interface 571 to vehicle network bus 591; and an intrusion detection program 599 executable by processor 440. Processor 440 utilizes interface 571 to monitor data on vehicle network bus 591 and utilizes intrusion detection program 599 to detect one or more anomalies in the monitored data. Electronic control unit 112a generates an alert upon detection of one or more anomalies. Processor 440 may provide the alert to an in-vehicle man-machine interface such as in-vehicle display 705, or to a mobile device or to a server via a wireless wide area network (WAN) interface 444 or a wireless local area network interface 446.

As with the mobile router 112 in the embodiment of FIG. 5, intrusion detection program 599 may comprise statistical anomaly detection, and may further utilize Bayes' Law.

The statistical anomaly detection of intrusion detection program 599 of the embodiment of FIG. 7 may utilize a profile of normal data on vehicle network bus 591 based upon learned data. The normal data may comprise one or more of an amount of normal traffic on vehicle network bus 591, identification of normal messages on vehicle network bus 591, identification of normal vehicle device-to-device communication on vehicle network bus 591, and identification of normal sensor data on vehicle network bus 591.

Vehicle network bus 591 may comprise a Controller Area Network (CAN) bus.

Intrusion detection program 599 may further comprise specification based anomaly detection. The intrusion detection program ignores all specification compliant data on the vehicle network bus and generates the alert for data that is not specification compliant.

The specification-based anomaly detection may be utilized to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, and invalid bus identifications.

Wireless wide area network interface 444 is operable to receive at least one of calibration information and update information for intrusion detection program 599.
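Calibration and update information for intrusion detection program 599 arrives over the same cellular or Wi-Fi interfaces an attacker outside the vehicle can reach, so a practitioner would authenticate such a package and refuse downgrades before letting it touch the detector's parameters. The following is an added example of that check and is not the patent's code: the package layout (a marker, a JSON header, the calibration body and an HMAC-SHA256 tag), the shared key assumed to be provisioned on the router or ECU 112a, the target name and the strictly-increasing version rule are all assumptions made here, and the calibration body is constructed.

```python
"""Verification of calibration or update information for intrusion detection
program 599 before it is applied. Added example, not the patent's code: the
package layout, the provisioned shared key, the target name and the version
rule are assumptions made here."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

MAGIC = b"IDSCAL1"          # assumed package marker
TAG_LEN = 32                # HMAC-SHA256 tag length
TARGET = "ids-599"          # assumed name of the intrusion detection program


def build_package(key: bytes, version: int, body: bytes, target: str = TARGET) -> bytes:
    """Producer side (network management system), constructed for the example."""
    header = json.dumps({"version": version, "target": target, "len": len(body),
                         "sha256": hashlib.sha256(body).hexdigest()}, sort_keys=True).encode()
    blob = MAGIC + len(header).to_bytes(2, "big") + header + body
    return blob + hmac.new(key, blob, hashlib.sha256).digest()


class CalibrationReceiver:
    """Receiver side on mobile router 112 or electronic control unit 112a."""
    def __init__(self, key: bytes, installed_version: int) -> None:
        self.key = key
        self.installed_version = installed_version
        self.calibration: Optional[dict] = None

    def verify(self, package: bytes) -> Tuple[str, Optional[dict], Optional[bytes]]:
        """Returns ("ok", header, body) or (reason, None, None). Nothing is parsed before
        the tag has been checked, so a forged package never reaches the JSON parser."""
        if len(package) < len(MAGIC) + 2 + TAG_LEN or not package.startswith(MAGIC):
            return "malformed package", None, None
        blob, tag = package[:-TAG_LEN], package[-TAG_LEN:]
        expected = hmac.new(self.key, blob, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):       # constant-time comparison
            return "authentication failed", None, None
        off = len(MAGIC) + 2
        hlen = int.from_bytes(blob[len(MAGIC):off], "big")
        header = json.loads(blob[off:off + hlen])
        body = blob[off + hlen:]
        if header.get("target") != TARGET:
            return "wrong target", None, None
        if len(body) != header.get("len") or hashlib.sha256(body).hexdigest() != header.get("sha256"):
            return "body digest mismatch", None, None
        version = header.get("version", 0)
        if version <= self.installed_version:            # refuse rollback and replay
            return f"version {version} is not newer than installed {self.installed_version}", None, None
        return "ok", header, body

    def apply(self, package: bytes) -> str:
        """Apply the calibration only when every check passes; returns the outcome."""
        reason, header, body = self.verify(package)
        if reason == "ok":
            self.calibration = json.loads(body)
            self.installed_version = header["version"]
        return reason


if __name__ == "__main__":
    key = b"constructed-demo-key"   # assumed to be provisioned out of band
    rx = CalibrationReceiver(key, installed_version=3)
    pkg = build_package(key, 4, b'{"0x1A0": {"mean_gap": 0.01, "std_gap": 0.0005}}')
    print(rx.apply(pkg), rx.apply(pkg))   # second apply is a replay and is refused
```

A symmetric key keeps the example self-contained with the standard library; in a fleet the same structure holds with a per-router key, or with a signature from a key held only at the network management system, so that a router that is itself compromised cannot mint updates for the others.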

Vehicle 101 may comprise an anomaly detection engine 601 as shown inFIG. 8. Anomaly detection engine 601 may comprise one of statisticalanomaly detection and specification based anomaly detection. Anomaliesdetected by anomaly detection engine 601 may comprise one of re-flashingof an electronic control unit memory, and predetermined radio frequencyhub activity in vehicle 101.

In various embodiments, a method shown in FIG. 9 is provided for vehicleintrusion detection for a vehicle 101 shown in FIG. 7 comprising avehicle network 591 bus and electronic control units 701 coupled tovehicle network bus 591. The method comprises, at step 901, providingvehicle 101 with one electronic control unit 112 a comprising anintrusion detection program. The method further comprises: operatingelectronic control unit 112 to monitor data on vehicle network bus 591at step 903; storing an intrusion detection program 599 in memory 442 atstep 905; operating processor 440 to execute intrusion detection program599 to monitor data on the vehicle network bus 591 at step 907;detecting one or more types of anomalies in the monitored data at step909; and operating electronic control unit 112 a to generate an alertupon detection of one or more anomalies at step 911.

The method may further comprise utilizing statistical anomaly detectionto detect one or more types of anomalies; and may also compriseutilizing Bayes' Law to detect one or more types of anomalies.

The method may further comprise utilizing a profile of normal data onvehicle network bus 591 based upon learned data for statistical anomalydetection; and may further comprise selecting the normal data to be oneor more of an amount of normal traffic, identification of normalmessages, identification of normal vehicle device to devicecommunication, and identification of normal sensor data.

The method may further comprise operating electronic control unit 112 ato transmit the alert to one of a man-machine interface in the vehicle705, a mobile device such as a cellular phone or a pad type device orother mobile computing device, and a server.

In other embodiments, the method may comprise utilizing specificationbased anomaly detection in the intrusion detection program. The methodmay further comprise: operating the electronic control unit 112 a toignore all specification compliant data on vehicle network bus 591; andgenerating the alert for data on vehicle network bus 591 that is notspecification compliant.

Electronic control unit 112 a may have access to a wireless wide areanetwork interface 444 in the vehicle and the method may comprisereceiving at least one of calibration information and update informationfor the intrusion detection program via wireless wide area networkinterface 444.

The method may further comprise utilizing the specification-basedanomaly detection to detect one or more of acceleration patterns,braking patterns, original equipment manufacturer (OEM) providedpatterns, counterfeit airbags, spoofing of vehicle bus messages and/oridentifications, and invalid bus identifications.

The method may further comprise providing electronic control unit 112 awith an anomaly detection engine 601. The method my yet further compriseselecting the anomaly detection engine to comprise one of statisticalanomaly detection and specification based anomaly detection.

In embodiments of the method, the anomalies may comprise one ofre-flashing of an electronic control unit memory, and predeterminedradio frequency hub activity in the vehicle.

Further embodiments of the invention are directed to a method ofoperating a mobile router 112 installed in a vehicle 101 as shown inFIG. 7. Vehicle 101 comprises a vehicle network bus 591 coupled to aplurality of electronic control units. Mobile router 112 comprises: awireless wide area network interface 446, a wireless local area networkinterface 446, an interface 571 to vehicle network bus 591; a processor440; and a memory 442 comprising a plurality of programs. The pluralityof programs comprises an intrusion detection program 599 executable byprocessor 440.

The method of operating mobile router 112 shown in FIG. 10 comprises:monitoring data on vehicle network bus 591 at step 1003; utilizingintrusion detection program 599 to detect one or more anomalies in themonitored data at step 1005; and generating an alert upon detection ofone or more of anomalies at step 1007.

The method further may comprise isolating intrusion detection program599 from the other of the plurality of programs. The method may comprisestoring intrusion detection program 599 in a first memory portion 597and storing the other programs in a second memory portion 595.

The method of operating mobile router 112 may further comprise utilizingstatistical anomaly detection in the intrusion detection program. Themethod may yet further comprise utilizing Bayes' Law.

The method of operating a mobile router 112 may include transmitting thealert to one of a man-machine interface in the vehicle, a mobile device,and a server. The method may further include transmitting the alert viaa selected one of wide area network interface 446 and local area networkinterface 444 to one of a mobile device and a server.

The method of operating a mobile router 112 may further compriseutilizing a profile of normal data on vehicle bus based 591 based uponlearned data to detect anomalies. The normal data may comprise one ormore of an amount of normal traffic on vehicle network bus 591,identification of normal messages on vehicle network bus 591,identification of normal vehicle device-to-device communication onvehicle network bus 591, and identification of normal sensor data onvehicle network bus 591.

The method of operating mobile router 112 may comprise utilizingspecification based anomaly detection in the intrusion detectionprogram, and further may comprise ignoring all specification compliantdata on the vehicle network bus 591 and generating an alert for data onthat is not specification compliant.

The method of operating mobile router 112 may comprise utilizingspecification-based anomaly detection to detect one or more ofacceleration patterns, braking patterns, original equipment manufacturer(OEM) provided patterns, counterfeit airbags, and invalid busidentifications. The method may further comprise receiving at least oneof calibration information and update information for intrusiondetection program 599 via a selected one of wireless wide area networkinterface 444 and wireless local area network interface 446.

The method of operating mobile router 591 may comprise: providing ananomaly detection engine 601; and utilizing anomaly detection engine601. The method may further comprise selecting anomaly detection engine601 to comprise one of statistical anomaly detection and specificationbased anomaly detection.

The method of operating mobile router 112 may comprise detectinganomalies comprising one of re-flashing of an electronic control unitmemory, and predetermined radio frequency hub activity in the vehicle asdescribed hereinabove.

In a further embodiment, a method shown in FIG. 11 is provided for operating a predetermined electronic control unit 112 a in a vehicle 101 shown in FIG. 8. Vehicle 101 comprises: a vehicle network bus 591 and one or more electronic control units 701 coupled to vehicle network bus 591. The method comprises: providing, at step 1101, vehicle 101 with a predetermined electronic control unit 112 a comprising: a processor 440; a memory 442; an interface to vehicle network bus 571; and an intrusion detection program 599. In this embodiment, intrusion detection program 599 is stored in memory 442. The method further comprises: utilizing predetermined electronic control unit 112 a to monitor data on the vehicle network bus at step 1103; executing the intrusion detection program to detect one or more anomalies in the monitored data at step 1105; and utilizing predetermined electronic control unit 112 a to generate an alert upon detection of one or more anomalies at step 1107.

The method of operating predetermined electronic control unit 112 a may comprise utilizing statistical anomaly detection in the intrusion detection program.

The method of operating predetermined electronic control unit 112 a may further comprise utilizing Bayes' Law in the intrusion detection program.

The method of operating predetermined electronic control unit 112 a may comprise transmitting the alert to one of a man-machine interface in the vehicle, a mobile device, and a server.

The method of operating predetermined electronic control unit 112 a may comprise transmitting the alert to one of the mobile device and the server via wireless wide area network interface 444.

The method of operating predetermined electronic control unit 112 a may comprise operating predetermined electronic control unit 112 a to utilize a profile of normal data on vehicle bus 591, the profile of normal data being based upon learned data. The method may comprise selecting the normal data to comprise one or more of an amount of normal traffic, identification of normal messages, identification of normal vehicle device-to-device communication, and identification of normal sensor data.
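As an added illustration of the statistical approach described in the preceding paragraphs (a profile of normal data learned from the bus, with Bayes' Law deciding whether a window of traffic warrants an alert), the following Python example is not code from the patent or its applicant. It assumes constructed periodic traffic on two identifiers as the learned data, and the prior and per-feature likelihood values it uses are hypothetical placeholders that a deployment would calibrate from labelled captures.

```python
"""Statistical CAN anomaly detection from a learned profile of normal data,
with Bayes' Law deciding whether one window of bus traffic raises an alert."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A CAN frame reduced to (arrival time in seconds, identifier, payload).
Frame = Tuple[float, int, bytes]


@dataclass
class Profile:
    """Learned profile of normal data: which message identifiers appear,
    how often each appears, and the overall amount of traffic."""
    known_ids: Set[int]
    mean_rate: Dict[int, float]   # frames per second per identifier
    total_rate: float             # frames per second across the whole bus


def learn_profile(frames: List[Frame], duration_s: float) -> Profile:
    """Build the profile from a capture taken while the vehicle is trusted."""
    counts = Counter(cid for _, cid, _ in frames)
    return Profile(
        known_ids=set(counts),
        mean_rate={cid: n / duration_s for cid, n in counts.items()},
        total_rate=len(frames) / duration_s,
    )


# Hypothetical prior and likelihoods (assumptions for this example only).
PRIOR_INTRUSION = 0.01
LIKELIHOOD: Dict[str, Tuple[float, float]] = {
    # feature: (P(feature | intrusion), P(feature | normal))
    "unknown_id":    (0.70, 0.002),
    "rate_excess":   (0.80, 0.050),
    "volume_excess": (0.60, 0.020),
}


def observe(profile: Profile, window: List[Frame], window_s: float,
            tolerance: float = 2.0) -> Dict[str, bool]:
    """Compare one window of live traffic against the learned profile."""
    counts = Counter(cid for _, cid, _ in window)
    return {
        "unknown_id": any(cid not in profile.known_ids for cid in counts),
        "rate_excess": any(
            cid in profile.mean_rate
            and n / window_s > tolerance * profile.mean_rate[cid]
            for cid, n in counts.items()),
        "volume_excess": len(window) / window_s > tolerance * profile.total_rate,
    }


def posterior_intrusion(obs: Dict[str, bool]) -> float:
    """Bayes' Law, treating the features as conditionally independent:
    P(intrusion | obs) = P(obs | intrusion) P(intrusion) / P(obs)."""
    p_intrusion, p_normal = PRIOR_INTRUSION, 1.0 - PRIOR_INTRUSION
    for name, present in obs.items():
        given_intrusion, given_normal = LIKELIHOOD[name]
        if not present:
            given_intrusion, given_normal = 1 - given_intrusion, 1 - given_normal
        p_intrusion *= given_intrusion
        p_normal *= given_normal
    return p_intrusion / (p_intrusion + p_normal)


def evaluate_window(profile: Profile, window: List[Frame], window_s: float,
                    threshold: float = 0.5) -> Tuple[bool, float]:
    """Return (alert, posterior probability of intrusion) for one window."""
    p = posterior_intrusion(observe(profile, window, window_s))
    return p >= threshold, p


def periodic(cid: int, hz: float, duration_s: float,
             payload: bytes = b"\x00" * 8) -> List[Frame]:
    """Constructed periodic traffic standing in for a real capture."""
    return [(i / hz, cid, payload) for i in range(int(hz * duration_s))]


# Constructed training capture: two periodic identifiers over 10 s.
TRAINING = periodic(0x100, 100, 10.0) + periodic(0x200, 50, 10.0)
PROFILE = learn_profile(TRAINING, 10.0)

# Constructed 1 s windows: one matching the profile, one where 0x100 arrives
# five times faster than learned and an identifier never learned appears.
NORMAL_WINDOW = periodic(0x100, 100, 1.0) + periodic(0x200, 50, 1.0)
ANOMALOUS_WINDOW = (periodic(0x100, 500, 1.0) + periodic(0x200, 50, 1.0)
                    + periodic(0x555, 10, 1.0))

if __name__ == "__main__":
    for label, window in (("normal", NORMAL_WINDOW), ("anomalous", ANOMALOUS_WINDOW)):
        alert, p = evaluate_window(PROFILE, window, 1.0)
        print(f"{label}: P(intrusion)={p:.4f} alert={alert}")
```

The alert threshold and the tolerance on learned rates are the two knobs a defender tunes: a tighter tolerance catches smaller deviations from the profile at the cost of more false alerts during legitimate driving-mode changes, which is why the patent pairs the learned profile with calibration updates delivered over the wireless interfaces.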

The method of operating predetermined electronic control unit 112 a may comprise providing intrusion detection program 599 with specification-based anomaly detection. The method may further comprise executing intrusion detection program 599 to ignore all specification-compliant data on the vehicle network bus; and operating the predetermined unit to generate the alert for data on vehicle network bus 591 that is not specification compliant.

The method of operating predetermined electronic control unit 112 a may comprise operating predetermined electronic control unit 112 a to receive at least one of calibration information and update information for the intrusion detection program via wireless wide area network interface 444.

The method of operating predetermined electronic control unit 112 a may comprise utilizing specification-based anomaly detection to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, and invalid bus identifications.

The method of operating predetermined electronic control unit 112 a may comprise providing the predetermined unit with an anomaly detection engine 601. The method may further comprise selecting anomaly detection engine 601 to comprise one of statistical anomaly detection and specification-based anomaly detection. The method of operating predetermined electronic control unit 112 a may comprise selecting the anomalies to comprise one of re-flashing of an electronic control unit memory, and predetermined radio frequency hub activity in vehicle 101.
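The specification-based approach in the paragraphs above (ignore all specification-compliant data, alert only on what is not compliant, including invalid bus identifications and implausible acceleration or braking patterns) can be illustrated with the following added Python example. It is not the patent's code; the message specification, signal layouts, physical limits and the sample capture are all hypothetical constructions, standing in for the OEM-provided patterns a real unit would load.

```python
"""Specification-based CAN anomaly detection: every frame that complies with
the message specification is ignored; only non-compliant data raises an alert."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A CAN frame reduced to (arrival time in seconds, identifier, payload).
Frame = Tuple[float, int, bytes]


@dataclass(frozen=True)
class SignalSpec:
    """One 16-bit big-endian signal inside a message, with its physical range
    and, optionally, the fastest rise and fall the vehicle can actually achieve."""
    name: str
    offset: int                              # byte offset within the payload
    scale: float                             # physical value = raw * scale
    lo: float
    hi: float
    max_rise_per_s: Optional[float] = None   # acceleration-pattern limit
    max_fall_per_s: Optional[float] = None   # braking-pattern limit


@dataclass(frozen=True)
class MessageSpec:
    dlc: int                                 # expected data length in bytes
    signals: Tuple[SignalSpec, ...]


# Hypothetical specification for this example; a deployment would load the
# OEM-provided message database instead.
SPEC: Dict[int, MessageSpec] = {
    0x100: MessageSpec(8, (SignalSpec("speed_kmh", 0, 0.01, 0.0, 300.0,
                                      max_rise_per_s=25.0, max_fall_per_s=50.0),)),
    0x200: MessageSpec(8, (SignalSpec("brake_bar", 0, 0.1, 0.0, 250.0),)),
}


class SpecificationDetector:
    def __init__(self, spec: Dict[int, MessageSpec]):
        self.spec = spec
        # (identifier, signal name) -> (time, value) of the last frame seen
        self.last: Dict[Tuple[int, str], Tuple[float, float]] = {}

    def check(self, frame: Frame) -> List[str]:
        """Return the specification violations in one frame; empty if compliant."""
        t, cid, data = frame
        msg = self.spec.get(cid)
        if msg is None:
            return [f"invalid bus identification 0x{cid:X}"]
        if len(data) != msg.dlc:
            return [f"0x{cid:X}: DLC {len(data)} differs from specified {msg.dlc}"]
        alerts: List[str] = []
        for sig in msg.signals:
            raw = int.from_bytes(data[sig.offset:sig.offset + 2], "big")
            value = raw * sig.scale
            if not sig.lo <= value <= sig.hi:
                alerts.append(f"0x{cid:X}: {sig.name}={value:.2f} outside "
                              f"[{sig.lo}, {sig.hi}]")
            prev = self.last.get((cid, sig.name))
            if prev is not None and t > prev[0]:
                slope = (value - prev[1]) / (t - prev[0])   # units per second
                if sig.max_rise_per_s is not None and slope > sig.max_rise_per_s:
                    alerts.append(f"0x{cid:X}: implausible acceleration pattern, "
                                  f"{sig.name} rose {slope:.0f}/s")
                if sig.max_fall_per_s is not None and -slope > sig.max_fall_per_s:
                    alerts.append(f"0x{cid:X}: implausible braking pattern, "
                                  f"{sig.name} fell {-slope:.0f}/s")
            self.last[(cid, sig.name)] = (t, value)
        return alerts

    def run(self, frames: List[Frame]) -> List[Tuple[float, str]]:
        """Walk a capture in arrival order; compliant frames produce nothing."""
        return [(f[0], a) for f in frames for a in self.check(f)]


def encode(value: float, scale: float) -> bytes:
    """Pack a physical value as the 16-bit big-endian raw field used above."""
    return int(round(value / scale)).to_bytes(2, "big")


# Constructed capture: three plausible speed frames, one implausible jump, a
# compliant brake frame, an identifier absent from the specification, and a
# brake frame with the wrong data length.
SAMPLE_FRAMES: List[Frame] = [
    (0.00, 0x100, encode(50.0, 0.01) + b"\x00" * 6),
    (0.01, 0x100, encode(50.2, 0.01) + b"\x00" * 6),
    (0.02, 0x100, encode(50.4, 0.01) + b"\x00" * 6),
    (0.03, 0x100, encode(120.0, 0.01) + b"\x00" * 6),
    (0.03, 0x200, encode(12.5, 0.1) + b"\x00" * 6),
    (0.04, 0x555, b"\x01\x02"),
    (0.05, 0x200, b"\x00\x10"),
]


def run_demo() -> List[Tuple[float, str]]:
    return SpecificationDetector(SPEC).run(SAMPLE_FRAMES)


if __name__ == "__main__":
    for t, alert in run_demo():
        print(f"t={t:.2f}s  {alert}")
```

Because the detector only ever reports departures from the specification, its false-positive rate is bounded by the accuracy of the specification itself, which is the reason the patent ties this mode to calibration and update information received over the wireless interfaces: a revised OEM pattern is a data update, not a code change.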

It will be appreciated by those skilled in the art that various changes and modifications may be made to the embodiments described herein without departing from the spirit or scope of the invention. It is intended that the invention not be limited in any way by the embodiments shown and described herein, but that the invention be limited only by the claims appended hereto.

1. A method of operating a mobile router installed in a vehicle; said vehicle comprising a vehicle network bus coupled to a plurality of electronic control units; said mobile router comprising: a wireless wide area network interface; a wireless local area network interface; an interface to said vehicle network bus coupled to vehicle electronic control units; a processor; and an intrusion detection program executable by said processor; said method comprising: monitoring data on said vehicle network bus; utilizing said intrusion detection program to detect one or more anomalies in said monitored data; and generating an alert upon detection of said one or more anomalies.

2. A method in accordance with claim 1, wherein: said mobile router comprises a memory, said memory comprising a plurality of programs and said intrusion detection program; and said method comprises: isolating said intrusion detection program from the other of said plurality of programs.

3. A method in accordance with claim 2, comprising: storing said intrusion detection program in a first memory portion of said memory and storing said other of said plurality of programs in a second memory portion of said memory.

4. A method in accordance with claim 1, wherein: said intrusion detection program utilizes statistical anomaly detection.

5. A method in accordance with claim 4, wherein: said intrusion detection program comprises Bayes' Law.

6. A method in accordance with claim 4, comprising: transmitting said alert to one of a display in said vehicle, a mobile device, and a server.

7. A method in accordance with claim 4, comprising: transmitting said alert via a selected one of said wide area network interface and said local area network interface to one of a mobile device and a server.

8. A method in accordance with claim 5, wherein: said vehicle network bus comprises a Controller Area Network (CAN) bus.

9. A method in accordance with claim 4, comprising: utilizing a profile of normal data on said vehicle bus based upon learned data.

10. A method in accordance with claim 9, wherein: said normal data comprises one or more of an amount of normal traffic, identification of normal messages, identification of normal vehicle device to device communication, and identification of normal sensor data.

11. A method in accordance with claim 1, wherein: said intrusion detection program comprises specification based anomaly detection.

12. A method in accordance with claim 11, comprising: ignoring all specification compliant data on said vehicle network bus; and generating said alert for data on said vehicle network bus that is not specification compliant.

13. A method in accordance with claim 11, comprising: receiving at least one of calibration information and update information for said intrusion detection program via a selected one of said wireless wide area network interface and said wireless local area network interface.

14. A method in accordance with claim 13, comprising: transmitting said alert to one of a display in said vehicle, a mobile device, and a server.

15. A method in accordance with claim 13, comprising: transmitting said alert via a selected one of said wide area network interface and said local area network interface to one of a mobile device and a server.

16. A method in accordance with claim 14, wherein: said vehicle network bus comprises a Controller Area Network (CAN) bus.

17. A method in accordance with claim 11, comprising: utilizing said specification-based anomaly detection to detect one or more of acceleration patterns, braking patterns, original equipment manufacturer (OEM) provided patterns, counterfeit airbags, and invalid bus identifications.

18. A method in accordance with claim 17, comprising: receiving at least one of calibration information and update information for said intrusion detection program via a selected one of said wireless wide area network interface and said wireless local area network interface.

19. A method in accordance with claim 1, comprising: providing an anomaly detection engine; and utilizing said anomaly detection engine.

20. A method in accordance with claim 18, wherein: said anomaly detection engine comprises one of statistical anomaly detection and specification based anomaly detection.

21. A method in accordance with claim 1, wherein: said anomalies comprise one of re-flashing of an electronic control unit memory, and predetermined radio frequency hub activity in said vehicle.

22. A method in accordance with claim 1, comprising: transmitting said alert to one of a display in said vehicle, a mobile device, and a server.

23. A method in accordance with claim 1, wherein: said vehicle network bus comprises a Controller Area Network (CAN) bus.

24. A method in accordance with claim 1, comprising: receiving at least one of calibration information and update information for said intrusion detection program via a selected one of said wireless wide area network interface and said wireless local area network interface.